Discussions of cybersecurity are making their way into boardrooms — but that doesn't mean C-suite executives are fully up-to-date on threats, vulnerabilities and remediation techniques. As noted by The Wall Street Journal, just 11 percent of board members surveyed in a recent National Association of Corporate Directors study claimed a "high level" of knowledge about cybersecurity best practices. The report also revealed that one industry vertical — healthcare — had executives with the least understanding; 30 percent said they had "little knowledge" of these risks. The disconnect raises a question: Is it time for a healthcare cybersecurity checkup?
A Veracode whitepaper, entitled "State of Software Security V6: Focus on Industry Verticals," takes a hard look at industry verticals and how they compare across the spectrum of cybersecurity. Healthcare does well in some areas; for example, when it comes to "flaw density," defined as the number of flaws per megabyte, healthcare apps came in at just 15 flaws/MB, well under verticals such as manufacturing, which reported 352 flaws/MB.
When it comes to compliance, however, healthcare didn't fare so well, with 69 percent of health agencies failing to meet government and regulatory body expectations. To some extent, this shortfall links to the strict standards placed on health companies because they deal with large volumes of high-value personal information. But even when problems are detected, healthcare companies lag behind, with just 43 percent of flaws fixed after being identified. In other words, healthcare cybersecurity is a mixed bag at best.
According to the American Journal of Managed Care, however, these risks translate into serious problems for companies: 90 percent of healthcare companies and 60 percent of their business partners report that they've experienced a data breach, and 80 percent say they've endured multiple breaches over the last five years. And as noted by Healthcare IT News, two-thirds of organizations asked by HIMSS said they recently endured a "significant security incident," yet only 12 percent conduct mock cyberdefense exercises to test overall security.
So, how do healthcare companies cope with the specter of data breach events? The HIMSS study found IT professionals report using an average of 11 security solutions to help safeguard data, but companies may be fighting the wrong battle. While they're using tried-and-true techniques such as firewalls and data encryption to stop malicious actors, they often ignore the largest threat uncovered by the Veracode whitepaper: code quality.
Fully 80 percent of healthcare companies struggle with this problem, while 61 percent grapple with cryptographic issues and 60 percent are fighting the battle of information leakage. Furthermore, the study found that remediation efforts almost always focused on high-severity flaws, driving a 58 percent reduction in flaw density over time, while less-critical flaws saw just a 14 percent improvement.
Healthcare agencies are in a difficult position when it comes to cybersecurity. Patients and doctors demand easy access, while federal and corporate regulatory bodies require compliance and strict permissions policies. The result is a fragmented security landscape that focuses on issues that need to be fixed immediately, but largely ignores less severe issues until they're effectively exploited by attackers. Simply put, improved prognosis requires a change in habit — a shift from reactive to proactive code management and remediation. Healthcare cybersecurity isn't terminal, but there's a long road to full recovery.
Time to dive deep and learn more about the state of cybersecurity for health agencies? Download Veracode's State of Software Security in its entirety.